The phone numbers of nearly 1,900 users of the secure messaging app Signal may have been exposed after a successful phishing attack on SMS service provider Twilio, but Signal says that this is the extent of the incident and that no other user data was accessible.
In a Twitter thread and a support document, Signal reports that a recent successful (and well-resourced) phishing attack on Twilio gave the attackers access to the phone numbers associated with 1,900 Signal users.
According to Signal, that is “a very small portion of Signal’s overall users,” and all 1,900 affected users will be notified (by SMS) and asked to re-register their devices. Like many other app developers, Signal uses Twilio to send the SMS verification codes that users receive when registering the Signal app.
With brief access to Twilio’s customer support console, the attackers could have used the verification codes Twilio sent to activate Signal on a different device and, as a result, send or receive new Signal messages from that number.
Alternatively, they could have confirmed that these 1,900 phone numbers were in fact linked to Signal accounts. Signal’s design largely prevented access to any other data: the entire message history is kept only on users’ devices.
A Signal PIN is required to access contact and block lists, profile information, and other user data. Signal also asks users to enable a registration lock, which prevents new devices from accessing the account until the user’s PIN has been correctly entered.
According to Signal’s help page, “The kind of telecom assault seen by Twilio is a weakness that Signal designed features like registration lock and Signal PINs to protect against.” Despite not being able to “directly fix the flaws affecting the telecom ecosystem,” the messaging service says that it will work with Twilio and other providers “to tighten up their security where it counts for our consumers.”
In May 2020, Signal introduced PINs, in part to reduce its reliance on phone numbers as the primary user identifier. This latest incident may serve as a further push to decouple Signal’s otherwise strong security from the SMS ecosystem, where large-scale network breaches and cheap, effective spoofing remain all too common.